Remove rolemap and per-role template support.
This support was deprecated and unused in Reference Policy November 5 2008.
parent
f82712416e
commit
d1af485661
@ -1,3 +1,4 @@
|
||||
- Remove rolemap and per-role template support.
|
||||
- Change corenetwork port declaration to apply the reserved port type
|
||||
attribute only, when the type has ports above and below 1024.
|
||||
- Change secure_mode_policyload to disable only toggling of this Boolean
|
||||
|
44
Makefile
44
Makefile
@ -130,7 +130,6 @@ endif
|
||||
# config file paths
|
||||
globaltun = $(poldir)/global_tunables
|
||||
globalbool = $(poldir)/global_booleans
|
||||
rolemap = $(poldir)/rolemap
|
||||
user_files := $(poldir)/users
|
||||
policycaps := $(poldir)/policy_capabilities
|
||||
|
||||
@ -316,48 +315,6 @@ fs_names := "btrfs ext2 ext3 ext4 xfs jfs"
|
||||
# Functions
|
||||
#
|
||||
|
||||
# parse-rolemap-compat modulename,outputfile
|
||||
define parse-rolemap-compat
|
||||
$(verbose) $(M4) $(M4PARAM) $(rolemap) | \
|
||||
$(AWK) '/^[[:blank:]]*[A-Za-z]/{ print "gen_require(type " $$3 "; role " $$1 ";)\n$1_per_userdomain_template(" $$2 "," $$3 "," $$1 ")" }' >> $2
|
||||
endef
|
||||
|
||||
# parse-rolemap modulename,outputfile
|
||||
define parse-rolemap
|
||||
$(verbose) $(M4) $(M4PARAM) $(rolemap) | \
|
||||
$(AWK) '/^[[:blank:]]*[A-Za-z]/{ print "gen_require(type " $$3 "; role " $$1 ";)\n$1_per_role_template(" $$2 "," $$3 "," $$1 ")" }' >> $2
|
||||
endef
|
||||
|
||||
# perrole-expansion modulename,outputfile
|
||||
define perrole-expansion
|
||||
$(verbose) echo "ifdef(\`""$1""_per_role_template',\`" > $2
|
||||
$(call parse-rolemap,$1,$2)
|
||||
$(verbose) echo "')" >> $2
|
||||
|
||||
$(verbose) echo "ifdef(\`""$1""_per_userdomain_template',\`" >> $2
|
||||
$(verbose) echo "errprint(\`Warning: per_userdomain_templates have been renamed to per_role_templates (""$1""_per_userdomain_template)'__endline__)" >> $2
|
||||
$(call parse-rolemap-compat,$1,$2)
|
||||
$(verbose) echo "')" >> $2
|
||||
endef
|
||||
|
||||
# create-base-per-role-tmpl modulenames,outputfile
|
||||
define create-base-per-role-tmpl
|
||||
$(verbose) echo "define(\`base_per_role_template',\`" >> $2
|
||||
|
||||
$(verbose) for i in $1; do \
|
||||
echo "ifdef(\`""$$i""_per_role_template',\`""$$i""_per_role_template("'$$*'")')" \
|
||||
>> $2 ;\
|
||||
done
|
||||
|
||||
$(verbose) for i in $1; do \
|
||||
echo "ifdef(\`""$$i""_per_userdomain_template',\`" >> $2 ;\
|
||||
echo "errprint(\`Warning: per_userdomain_templates have been renamed to per_role_templates (""$$i""_per_userdomain_template)'__endline__)" >> $2 ;\
|
||||
echo """$$i""_per_userdomain_template("'$$*'")')" >> $2 ;\
|
||||
done
|
||||
$(verbose) echo "')" >> $@
|
||||
|
||||
endef
|
||||
|
||||
# detect-metaxml layer_names
|
||||
ifdef LOCAL_ROOT
|
||||
define detect-metaxml
|
||||
@ -552,7 +509,6 @@ install-headers: $(layerxml) $(tunxml) $(boolxml)
|
||||
@mkdir -p $(headerdir)
|
||||
@echo "Installing $(NAME) policy headers."
|
||||
$(verbose) $(INSTALL) -m 644 $^ $(headerdir)
|
||||
$(verbose) $(M4) $(M4PARAM) $(rolemap) > $(headerdir)/$(notdir $(rolemap))
|
||||
$(verbose) mkdir -p $(headerdir)/support
|
||||
$(verbose) $(INSTALL) -m 644 $(m4support) $(word $(words $(genxml)),$(genxml)) $(xmldtd) $(headerdir)/support
|
||||
$(verbose) $(genperm) $(avs) $(secclass) > $(headerdir)/support/all_perms.spt
|
||||
|
5
README
5
README
@ -214,11 +214,6 @@ policy/modules.conf This file contains a listing of available modules, and
|
||||
in the base module; those set to "module" will be
|
||||
compiled as individual loadable modules.
|
||||
|
||||
policy/rolemap This file contains prefix and user domain type that
|
||||
corresponds to each user role. The contents of this
|
||||
file will be used to expand the per-user domain
|
||||
templates for each module.
|
||||
|
||||
policy/support/* Support macros.
|
||||
|
||||
policy/users This file defines the users included in the policy.
|
||||
|
@ -73,8 +73,7 @@ $(modpkgdir)/%.pp: $(builddir)%.pp
|
||||
$(tmpdir)/%.mod: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf %.te
|
||||
@echo "Compliling $(NAME) $(@F) module"
|
||||
@test -d $(tmpdir) || mkdir -p $(tmpdir)
|
||||
$(call perrole-expansion,$(basename $(@F)),$@.role)
|
||||
$(verbose) $(M4) $(M4PARAM) -s $^ $@.role > $(@:.mod=.tmp)
|
||||
$(verbose) $(M4) $(M4PARAM) -s $^ > $(@:.mod=.tmp)
|
||||
$(verbose) $(CHECKMODULE) -m $(@:.mod=.tmp) -o $@
|
||||
|
||||
$(tmpdir)/%.mod.fc: $(m4support) %.fc
|
||||
@ -143,13 +142,8 @@ $(tmpdir)/all_interfaces.conf: $(m4support) $(all_interfaces) $(m4iferror)
|
||||
$(verbose) $(SED) -e s/dollarsstar/\$$\*/g $(tmpdir)/$(@F).tmp >> $@
|
||||
@echo "divert" >> $@
|
||||
|
||||
$(tmpdir)/rolemap.conf: M4PARAM += -D self_contained_policy
|
||||
$(tmpdir)/rolemap.conf: $(rolemap)
|
||||
$(verbose) echo "" > $@
|
||||
$(call parse-rolemap,base,$@)
|
||||
|
||||
$(tmpdir)/all_te_files.conf: M4PARAM += -D self_contained_policy
|
||||
$(tmpdir)/all_te_files.conf: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf $(base_te_files) $(tmpdir)/rolemap.conf
|
||||
$(tmpdir)/all_te_files.conf: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf $(base_te_files)
|
||||
ifeq "$(strip $(base_te_files))" ""
|
||||
$(error No enabled modules! $(notdir $(mod_conf)) may need to be generated by using "make conf")
|
||||
endif
|
||||
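Review bot: Nothing in the new `$(tmpdir)/%.mod` recipe tells a module author that a `<module>_per_role_template` or `<module>_per_userdomain_template` definition is no longer expanded, whereas the removed `perrole-expansion` step at least printed a rename warning for the latter. As far as the visible lines show, such a definition now simply goes uncalled, so the rules it was meant to generate per role would be absent from the compiled module with no build message. I would add a comment above the rule, for example `# per-role templates are no longer expanded here; modules must call their templates explicitly`. The same applies to the `$(tmpdir)/all_te_files.conf` rules that drop `$(tmpdir)/rolemap.conf` and to the `tmp/%.mod` rule further down, which drops `peruser-expansion`; the recipes of the `all_te_files.conf` rules lie outside their hunks.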
|
@ -131,11 +131,7 @@ $(tmpdir)/all_interfaces.conf: $(m4support) $(all_interfaces) $(m4iferror)
|
||||
$(verbose) $(SED) -e s/dollarsstar/\$$\*/g $(tmpdir)/$(@F).tmp >> $@
|
||||
@echo "divert" >> $@
|
||||
|
||||
$(tmpdir)/rolemap.conf: $(rolemap)
|
||||
$(verbose) echo "" > $@
|
||||
$(call parse-rolemap,base,$@)
|
||||
|
||||
$(tmpdir)/all_te_files.conf: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf $(all_te_files) $(tmpdir)/rolemap.conf
|
||||
$(tmpdir)/all_te_files.conf: $(m4support) $(tmpdir)/generated_definitions.conf $(tmpdir)/all_interfaces.conf $(all_te_files)
|
||||
ifeq "$(strip $(all_te_files))" ""
|
||||
$(error No enabled modules! $(notdir $(mod_conf)) may need to be generated by using "make conf")
|
||||
endif
|
||||
|
@ -1,13 +0,0 @@
|
||||
#
|
||||
# This file contains the mappings
|
||||
# used for per-role template
|
||||
# infrastructure. Each line describes
|
||||
# the prefix and user domain type
|
||||
# corresponding to each role.
|
||||
#
|
||||
# syntax: role prefix user_domain
|
||||
#
|
||||
|
||||
# This support has been deprecated and
|
||||
# will be removed in the future. Note: No
|
||||
# per-role templates exist in refpolicy.
|
@ -84,8 +84,6 @@ header_layers := $(filter-out $(HEADERDIR)/support,$(shell find $(wildcard $(HEA
|
||||
header_xml := $(addsuffix .xml,$(header_layers))
|
||||
header_interfaces := $(foreach layer,$(header_layers),$(wildcard $(layer)/*.if))
|
||||
|
||||
rolemap := $(HEADERDIR)/rolemap
|
||||
|
||||
local_layers := $(filter-out CVS tmp $(docs),$(shell find $(wildcard *) -maxdepth 0 -type d))
|
||||
local_xml := $(addprefix tmp/, $(addsuffix .xml,$(local_layers)))
|
||||
|
||||
@ -108,35 +106,6 @@ vpath %.te $(local_layers)
|
||||
vpath %.if $(local_layers)
|
||||
vpath %.fc $(local_layers)
|
||||
|
||||
########################################
|
||||
#
|
||||
# Functions
|
||||
#
|
||||
|
||||
# parse-rolemap-compat modulename,outputfile
|
||||
define parse-rolemap-compat
|
||||
$(verbose) $(M4) $(M4PARAM) $(rolemap) | \
|
||||
$(AWK) '/^[[:blank:]]*[A-Za-z]/{ print "gen_require(type " $$3 "; role " $$1 ";)\n$1_per_userdomain_template(" $$2 "," $$3 "," $$1 ")" }' >> $2
|
||||
endef
|
||||
|
||||
# parse-rolemap modulename,outputfile
|
||||
define parse-rolemap
|
||||
$(verbose) $(M4) $(M4PARAM) $(rolemap) | \
|
||||
$(AWK) '/^[[:blank:]]*[A-Za-z]/{ print "gen_require(type " $$3 "; role " $$1 ";)\n$1_per_role_template(" $$2 "," $$3 "," $$1 ")" }' >> $2
|
||||
endef
|
||||
|
||||
# peruser-expansion modulename,outputfile
|
||||
define peruser-expansion
|
||||
$(verbose) echo "ifdef(\`""$1""_per_role_template',\`" > $2
|
||||
$(call parse-rolemap,$1,$2)
|
||||
$(verbose) echo "')" >> $2
|
||||
|
||||
$(verbose) echo "ifdef(\`""$1""_per_userdomain_template',\`" >> $2
|
||||
$(verbose) echo "errprint(\`Warning: per_userdomain_templates have been renamed to per_role_templates (""$1""_per_userdomain_template)'__endline__)" >> $2
|
||||
$(call parse-rolemap-compat,$1,$2)
|
||||
$(verbose) echo "')" >> $2
|
||||
endef
|
||||
|
||||
.PHONY: clean all xml load reload
|
||||
.SUFFIXES:
|
||||
.SUFFIXES: .pp
|
||||
@ -185,8 +154,7 @@ reload: $(all_packages)
|
||||
tmp/%.mod: $(m4support) tmp/all_interfaces.conf %.te
|
||||
@$(EINFO) "Compiling $(NAME) $(basename $(@F)) module"
|
||||
@test -d $(@D) || mkdir -p $(@D)
|
||||
$(call peruser-expansion,$(basename $(@F)),$@.role)
|
||||
$(verbose) $(M4) $(M4PARAM) -s $^ $@.role > $(@:.mod=.tmp)
|
||||
$(verbose) $(M4) $(M4PARAM) -s $^ > $(@:.mod=.tmp)
|
||||
$(verbose) $(CHECKMODULE) -m $(@:.mod=.tmp) -o $@
|
||||
|
||||
tmp/%.mod.fc: $(m4support) %.fc
|
||||
|